Method and apparatus for providing security in a radio frequency identification system

ABSTRACT

One aspect involves receiving by a tag of wireless communications that utilize a first security provision, and wireless communications that utilize a second security provision different from the first security provision. A different aspect involves receiving by an entity of an authentication request that is based on a first digital certificate unknown to the entity, and determining by the entity, without external authentication of the first digital certificate, whether the first digital certificate is in a trust relationship with a second digital certificate that is different from the first digital certificate and that is known to the entity.

This application claims the priority under 35 U.S.C. §119 of provisionalapplication No. 60/951,334 filed Jul. 23, 2007, the disclosure of whichis hereby incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates in general to radio frequency identificationsystems and, more particularly, to techniques for protecting informationin radio frequency identification systems.

BACKGROUND

Radio frequency identification (RFID) systems are used in a variety ofdifferent applications. As one example, RFID systems are commonly usedto track and monitor shipping containers or other objects. RFID tags areattached to the containers or other objects, and can exchange wirelesscommunications with stationary interrogators. In order to provide endusers with compatibility among components obtained from differentmanufacturers, an international industry standard for RFIDcommunications has been developed and promulgated by the InternationalOrganization for standardization (ISO) in Geneva, Switzerland. Thisstandard is commonly known as the art as the ISO 18000-7 standard.

Although the ISO 18000-7 standard been very beneficial, it offers littlein the way of security for information. For example, the standard doesnot allow wireless messages to be encrypted, nor does it have anybuilt-in extension mechanism that would permit the definition ofproprietary messages within the protocol, such as proprietary messageswith security provisions. Consequently, information transmitted inwireless messages under the ISO 18000-7 standard is fully visible to anyentity that elects to receive the wireless messages. A third party maybe able to emulate or interfere with ISO 18000-7 messages in variousdifferent ways. Consequently, while the ISO 18000-7 standard has beenadequate and beneficial for its intended purposes, it has not beenentirely satisfactory in all respects.

BRIEF DESCRIPTION OF THE DRAWINGS

A better understanding of the present invention will be realized fromthe detailed description that follows, taken in conjunction with theaccompanying drawings, in which:

FIG. 1 is a block diagram of an apparatus that is a radio frequencyidentification (RFID) system, and that embodies aspects of the presentinvention.

FIG. 2 is a block diagram of a conventional RFID system in which aninterrogator and a tag exchange wireless communications conforming to anindustry standard known as ISO 18000-7.

FIG. 3 is a diagram showing a data format used within the ISO 18000-7standard.

FIG. 4 is a diagram showing a highly-generalized message format usedunder the ISO 18000-7 standard.

FIG. 5 is a block diagram showing a portion of the system of FIG. 1, andshowing selected aspects of computer programs executed by some of thedepicted components.

FIG. 6 is a diagram showing in more detail certain informationmaintained and used in the system of FIG. 5.

FIG. 7 is a table showing examples of five protection suites used withinthe system of FIG. 5, each protection suite being a combination of anencryption technique and an authentication technique.

FIG. 8 is a diagram showing how an ISO 18000-7 message is compressed,encrypted and fragmented for purposes of transmission within the systemof FIG. 5.

FIG. 9 shows a data storage format that is used for certaincryptographic information within the system of FIG. 5.

FIG. 10 is a diagram showing four ISO 18000-7 envelope messages that canbe used in the system of FIG. 5 to transmit fragments of another ISO18000-7 message.

FIG. 11 is a diagram similar to FIG. 10, but showing four ISO 18000-7envelope messages of a different type.

FIG. 12 is a diagram showing an ISO 18000-7 message 501 that is usedwithin the system of FIG. 5 to send separately protected segments ofuniversal data block (UDB) information to respective differentrecipients.

FIG. 13 is a flowchart showing part of a procedure used to initialize anRFID tag in the system of FIG. 5.

FIG. 14 is a diagram showing three different sites that aregeographically spaced from each other, and that each utilize an RFIDsystem of the type shown in FIG. 5.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of an apparatus that is a radio frequencyidentification (RFID) system 10, and that embodies aspects of thepresent invention. The system 10 includes two interrogators 12 and 13,an RFID tag 16, and a network 18. FIG. 1 also shows several users 21-24that can each use or interact with the system 10. A user may be anindividual, an entity, a computer, or some other automated device. FIG.1 is not intended to depict the entire RFID system. For example, thesystem actually includes a plurality of the tags 16, and moreinterrogators than just the two that are shown at 12 and 13. FIG. 1shows only selected portions of the RFID system that facilitate anunderstanding of the present invention.

The tag 16 is a mobile, battery-operated device, and can communicate ina wireless manner with each of the interrogators 12 and 13, inparticular by exchanging radio frequency (RF) wireless signals 28. Inthe disclosed embodiment, all of the wireless signals 28 conform to anexisting international industry standard known as ISO 18000-7. Thisinternational standard was promulgated by the International Organizationfor Standardization (ISO), headquartered in Geneva, Switzerland. Personsskilled in the art are familiar with the ISO 18000-7 standard. Forbrevity and clarity in the discussion that follows, the term “ISO” isused as a shorthand way to refer to the ISO 18000-7 standard, and shouldbe understood to be a reference to the ISO 18000-7 standard, rather thana reference to the ISO organization itself.

The circuitry within the tag 16 includes a processor 41 that is coupledto a memory 42. The memory 42 in FIG. 1 is a diagrammatic representationof two or more different types of memory, including but not limited toread-only memory (ROM), random access memory (RAM), and flash memory.The memory 42 contains a program 43 that is executed by the processor41, and data 44 that is utilized by the program 43. The circuitry of thetag also includes a serial port 51, through which a not-illustratedexternal computer or other device can communicate serially with theprocessor 41. The tag 16 has an internal clock circuit 52 with anot-illustrated oscillator, allowing the tag 16 to maintain a record ofthe current date and time.

The circuitry of the tag further includes a radio frequency (RF)receiver 46 that is coupled to the processor 41 and to an antenna 47.The processor 41 can receive wireless signals 28 through the antenna 47and receiver 46. The tag also includes an RF transmitter 48 that iscoupled to the processor 41 and to an antenna 49. The processor 41 cantransmit wireless signals 28 through the transmitter 48 and the antenna49.

The interrogator 13 is a portable, battery-operated, handheld devicethat can be manually operated by a user 24 who is an individual. Thecircuitry in the interrogator 13 includes a processor 56 that is coupledto a memory 57. The memory 57 is a diagrammatic representation ofvarious different types of memory, including but not limited to ROM, RAMand flash memory. The memory 57 contains a program 58 that is executedby the processor 56, as well as data 59 that is used by the program 58.The interrogator 13 includes an RF transmitter 61 that is coupled to theprocessor 56 and to an antenna 62. The processor 56 can transmitwireless signals 28 through the transmitter 61 and the antenna 62. Theinterrogator also includes an RF receiver 63 that is coupled to theprocessor 56 and to an antenna 64. The processor 41 can receive wirelesssignals 28 through the antenna 64 and the receiver 63. The handheldinterrogator 13 further includes a keypad 66 that is coupled to theprocessor 56. The user 24 can manually operate the keypad 66 in order toenter information into the interrogator 13.

The interrogator 12 includes a site manager 71 and a reader 72 that areoperatively coupled at 73. In the disclosed embodiment, the coupling 73between the site manager 71 and reader 72 is hardwired rather thanwireless, and in particular is a network that may conform to awell-known network protocol known as the Ethernet protocol.Alternatively, however, the site manager 71 and reader 72 could becoupled in any other convenient manner, and could even communicate usingwireless signals. Within a given site, such as a shipping hub, there maybe a plurality of the readers 72 that are provided at spaced locationsand that are all coupled to the site manager 71 through the network 73.However, for simplicity and clarity, FIG. 1 shows only a single reader72.

As explained earlier, the wireless signals 28 conform to the ISO 18000-7industry standard, and the discussion below will focus to some extent onthis industry standard. In the real world, the site manager 71 andreader 72 are separate and independent devices that are physically andfunctionally distinct. However, the ISO 18000-7 standard basicallyrecognizes two general categories of devices, one of which is tags, andthe other of which is interrogators. Therefore, for simplicity andclarity in the discussion that follows, the site manager 71 and thereader 72 are collectively referred to herein as an interrogator 12. Inaddition, and for simplicity and clarity, the reader 72 is consideredherein to be essentially a pass-through device, which facilitates theexchange of ISO messages 28 between the site manager 71 and the tag 16,but without making substantive alterations to any of the messagestraveling in either direction.

The reader 72 includes a circuit 76. An RF transmitter 81 is coupled tothe circuit 76, and to an antenna 82. The circuit 76 can transmitwireless signals 28 through the transmitter 81 and the antenna 82. An RFreceiver 83 is coupled to the circuit 76 and to an antenna 84. Thecircuit 76 can receive wireless signals 28 through the antenna 84 andthe receiver 83.

The site manager 71 includes a processor 86 that is coupled to a memory87. The memory 87 is a diagrammatic representation of various differenttypes of memory, including but not limited to ROM, RAM and flash memory.The memory 87 stores a program 88 that is executed by the processor 86,and also stores data 89 that is used by the program 88.

The user 21 can interact with the site manager 71. For example, the sitemanager 71 may include a not-illustrated terminal, and the user 21 maybe an individual who interacts with the site manager through thatterminal. The network 18 is operatively coupled to a network port of thesite manager 71. The network 18 may include one or more of the Internet,an intranet, some other type of computer network, or a combination oftwo more such networks. The users 22 and 23 can communicate with thesite manager 71 through the network 18. The users 22 and 23 may, forexample, be individuals who are using personal computers or otherterminals that are coupled to the network 18. Alternatively, the users22 and 23 may be automated systems that are operatively coupled to thenetwork 18. For example, the user 22 could be a site manager that issimilar to the site manager 71, but that is located in a different siteat a physically remote location.

As evident from the foregoing discussion, the tag 16 and theinterrogators 12 and 13 each include both hardware and software (wherethe software may include firmware). In the embodiment of FIG. 1, thehardware in the interrogators 12 and 13 and in the tag 16 is entirelyconventional. The new and unique characteristics discussed herein areembodied in the software, including the programs 43, 58 and 88 executedby the various processors in the tag 16 and interrogators 12 and 13. Thenew and unique characteristics in the program 88 of the interrogator 12are essentially the same as those in the program 58 of the interrogator13. Accordingly, for simplicity and to avoid redundancy, the discussionthat follows will focus on the distinctive characteristics of theprogram 88 in the interrogator 12, as well as the distinctivecharacteristics of the program 43 in the tag 16. But before beginning adetailed discussion of the new and unique characteristics of theprograms 88 and 43, it will be helpful to first briefly discuss thecomputer programs used in a conventional interrogator and tag.

In this regard, FIG. 2 is a block diagram of a system 10A that includesan interrogator 12A and a tag 16A that can exchange wirelesscommunications 28 conforming to the ISO 18000-7 standard. In FIG. 2,components that are the same as or similar to components in FIG. 1 areidentified with the same or similar reference numerals. For the purposeof this discussion, it is assumed that the hardware of the interrogator12A of FIG. 2 is identical to the hardware of interrogator 12 of FIG. 1,and that the differences between these interrogators reside in thecomputer programs within them. Similarly, it is assumed that thehardware of the tag 16A of FIG. 2 is identical to the hardware of thetag 16 of FIG. 1, and that the differences between these tags reside inthe computer programs within them. In FIG. 1, the subject matterdepicted within the interrogator 12 and within the tag 16 representsprimarily a high-level view of their hardware configurations. Incontrast, in FIG. 2, the subject matter depicted within the interrogator12A and within the tag 16A represents selected high-level aspects of thecomputer programs within the interrogator 12A and tag 16A.

In more detail, with reference to FIG. 2, the computer program in theinterrogator 12A includes an application program 101. The datamaintained by the application program 101 includes an interrogatoridentification code 103 that uniquely identifies the particularinterrogator 12A. As mentioned earlier, a given site may includemultiple interrogators and multiple tags, such that a given tag may becarrying on communications with more than one interrogator, and a giveninterrogator may be carrying on communications with more than one tag.Accordingly, when the interrogator 12A transmits a wireless ISO messageat 28, the interrogator includes in the message its interrogatoridentification code 103, so that any tag receiving that message willknow which particular interrogator sent the message.

The computer program executed in the tag 16A includes an applicationprogram 111. The application program 111 maintains a database of ISOtables 116, and examples of two ISO tables are shown diagrammatically at117 and 118. The application program 111 includes a segment of usermemory 121, and maintains a tag manufacturer identification code 122that uniquely identifies the company that manufactured the tag 16A. Theapplication program 111 also maintains a tag model number 123corresponding to the tag 16A, and a tag serial number 124 that is uniqueto the particular tag 16A. The application program 111 further maintainsa user-assigned identification code 125 that can be set and/or read byan external user, such as one of the users 21-23.

In addition, the application program 111 maintains a routing code 126.For example, if the tag 16A happen to be mounted on a container that isbeing shipped from a manufacturer to a remote shipping hub, and thenfrom the shipping hub to a customer, the routing code 126 may be a codethat identifies the particular shipping route. The application program111 also contains a firmware revision number 127 identifying theparticular version of the software/firmware computer program that iscurrently installed in the tag 16A. Further, the application program 111maintains a tag password 128. If password protection in the tag isenabled, and if one of the users 21-23 wishes to communicate with thetag, then the user will first need to supply the tag with the correctpassword.

As discussed above, the interrogator 12A and the tag 16A exchangewireless communications 28 that conform to the ISO 18000-7 industrystandard. FIG. 3 is a diagram showing one common data format 141 that isused within ISO 18000-7 messages. This data format 141 includes threefields, which are a type or “T” field 142, a length or “L” field 143,and a value or “V” field 144. Combining the first letters of the namesof these fields yields the acronym “TLV”, and thus the data format 141is commonly referred to as the “TLV” format. The type field 142 containsa code that uniquely identifies the type of data present in the valuefield 144. The length field 143 defines the length the value field 144,and in particular contains a number that represents the number of bytespresent in the value field 144. The value field 144 contains one or moredata elements (and each such data element may itself also have the TLVformat). Persons skilled in the art are thoroughly familiar with the TLVdata format shown in FIG. 3.

Referring again to FIG. 2, and as explained earlier, wireless messages28 exchanged between the interrogator 12A and the tag 16A conform to theISO 18000-7 standard. These ISO messages can have a variety of differentformats. These formats are all defined in detail in the ISO 18000-7specification, and they are therefore not all illustrated and describedhere in detail. Instead, FIG. 4 is a diagram showing ahighly-generalized format 151 that is used for many types of ISOmessages under the ISO 18000-7 standard. The message format 151 includesa section 153 of ISO headers, which is a collection of several differentfields. The particular set of fields that are present at 151 will varysomewhat from message to message. For example, the ISO headers 153always include a not-illustrated protocol identification field. The ISOheaders 153 will typically also include the interrogator identificationcode 103 (FIG. 2) when the message is being transmitted by theinterrogator 12A, but not if the message is transmitted by the tag 16A.Conversely, the ISO headers 153 will typically include the tag serialnumber 124 (FIG. 2) if the message is being transmitted by the tag 16A,but not if the message is being transmitted by the interrogator 12A.There are other fields that can also be present in the ISO headers 153,but since they are well known in the art, they are not all discussed indetail here.

The format 151 also includes a command code 154 to tell a receivingdevice what it is expected to do, a field 155 containing data and/orarguments for the command code 154, and an error checking field 156. Theerror checking field 156 typically contains a cyclic redundancy code(CRC) of a known type.

In regard to the command code shown at 154 in FIG. 4, Table 1 givesexamples of some commands that the interrogator 12A of FIG. 2 can sendto the tag 16A. It will be noted that some of these commands allow theinterrogator 12A to read or write the user-assigned identification code125 (FIG. 2), the routing code 126, or the user memory 121. Othercommands allow the interrogator 12A to read the firmware revision number127, or the tag model number 123. Still other commands allow theinterrogator 12A to change the tag password 128, and to engage ordisengage password protection. Still other commands allow theinterrogator 12A to create a table within the database 116 of ISOtables, to write information into a table, or to read information from atable. Another command instructs the tag to enter a low-power “sleep”mode in which most (but not all) of the circuitry in the tag is turnedoff in order to conserve battery power. Still another command turns onor off a not-illustrated audible beeper that is located within the tag.Table 1 does not list all of the commands that exist under the ISO18000-7 standard, but merely gives examples of some of those commands.

TABLE 1 COMMAND COMMAND CODE NAME DESCRIPTION 0x15 Sleep Put tag tosleep 0x13 User ID Read user-assigned ID 0x93 User ID Writeuser-assigned ID 0x09 Routing Read routing code Code 0x89 Routing Writerouting code Code 0x0C Firmware Retrieve firmware Revision revisionnumber 0x0E Model Retrieve tag model Number number 0x60 Read/ Read usermemory Memory 0xE0 Write Write user memory Memory 0x95 Set Set tagpassword Password 0x17 Set Engage password Password protection protect0x97 Set Disengage password Password protection protect 0x96 UnlockUnlock password protected tag 0x70 Read Read Universal Data UniversalBlock Data Block 0x26 Table Create database Create table 0x26 Table AddPrepare to add new Records records to specified database table 0x26Table Prepare to modify Update specified table Records records 0x26Table Prepare to update Update specified fields of Fields a table record0x26 Table Delete existing Delete record from existing Record databasetable 0x26 Table Get Prepare to retrieve Data specified table records0x26 Table Get Get total number of Properties records and size of eachfield 0x26 Table Retrieve block of Read data from table, as Fragmentinitiated by Table Get Data command 0x26 Table Write block of data Writeinto table, as Fragment initiated by Table Add Records, Table UpdateRecords, or Table Update fields command 0x26 Table Initiate table Querysearch based on specified criteria 0xE1 Beep Turns tag's beeper On/OffOn or Off 0x8E Delete Delete all allocated Writeable writeable data onData tag

In the discussion that follows, messages that are sent from theinterrogator 12A to the tag 16A and that involve security fall generallywithin one of three different categories. First, even when a number ofthe tags are present, the interrogator 12A can select any one of thetags and send a message specifically to that one particular tag, andthen expect a single response from that tag. This type of message isknown as a Point-2-Point or “P2P” message.

In a second category of messages, the interrogator 12A can broadcast asingle message to all of the security-enabled tags that are currentlywithin the wireless transmission range of that particular interrogator.As one example, the interrogator can send one or more ISO “table query”broadcast messages to multiple tags, followed by an ISO collection querybroadcast message. The interrogator then expects a single separateresponse from each individual tag. Messages in this category arereferred to in this discussion as table query broadcast messages.

A third category of ISO messages is referred to as universal data blockor “UDB” collection. In particular, the interrogator 12A can broadcastto multiple tags a common message that instructs each tag to formulateand send back a UDB data block. Each tag then prepares a UDB data blockthat has a predefined format, and that typically contains multiple itemsof data. For example, under the ISO 18000-7 standard, the UDB data blockmay include tag identification information (discussed in more detaillater), and/or a routing code. Under proprietary extensions, variousother data items could also be present. The various data elements in theUDB are typically each presented in the TLV format discussed above inassociation with FIG. 3. After each tag has prepared its UDB, the tagsends its UDB back to the interrogator 12A in a wireless message 28 thatconforms to the ISO 18000-7 standard.

In FIG. 2, and as mentioned above, all of the wireless messages 28 sentbetween the interrogator 12A and the tag 16A conform to the ISO 18000-7standard. But one resulting disadvantage is that these messages are notsecure. For example, since these messages are sent as RF communications,a third party can easily receive these messages and/or transmit similarmessages, and thus eavesdrop on or interfere with communications betweenthe interrogator 12A and the tag 16A. For example, if the tag 16Atransmits a wireless message that includes a UDB with a routing codetherein, a third party can receive that RF message and thus learnrouting information of the tag and any associated object such as acontainer. what is in the container. As another example, a third-partydevice can emulate a tag, and the interrogator 12A will not necessarilybe able to tell that it is talking to an imposter rather than an actualvalid tag.

As still another example, a third-party device can emulate aninterrogator and communicate with the tag 16A. The tag will not knowthat it is communicating with an imposter rather than an actual validinterrogator. If the tag currently has password protection disabled, thethird party device will be able to read or write data present within thetag, possibly in support of a fraudulent purpose. Moreover, if a validinterrogator happens to send the tag 16A a message that includes thecurrent password for the tag, a third-party device can receive themessage and learn the password. Using the password, the third-partydevice will have full read and write access to the tag. Moreover, usingthe current password, the third-party device could even replace thecurrent password with a new password, thereby preventing a validinterrogator from subsequently communicating with the tag.

In order to avoid these and various other similar problems, it would bedesirable to have some level of security for wireless ISO messages 28being exchanged between the interrogator 12A and the tag 16A, whilestill complying with the ISO 18000-7 standard. However, the ISO 18000-7standard does not have any provision for security in the wirelessmessages 28, through the use of encryption or otherwise. Moreover, theISO 18000-7 standard does not have any built-in extension mechanism thatwould permit the definition of proprietary messages within the protocol,such as proprietary messages with security provisions. In order toaddress this, one aspect of the present invention involves the provisionof a high level of security for information exchanged between aninterrogator and a tag, while still remaining fully compatible with theexisting ISO 18000-7 standard. Moreover, this is structured so that itinvolves only a firmware upgrade in each interrogator and each tag,without any hardware change. Consequently, existing interrogators andtags can be relatively easily and cheaply upgraded, without the need toincur the expense of completely replacing them, or the hassle andexpense of hardware alterations.

In more detail, FIG. 5 is a block diagram showing a selected portion ofthe system 10 of FIG. 1, including the interrogator 12, the tag 16, thenetwork 18 and the users 21-23. As noted above, the subject matterdepicted in FIG. 1 within the interrogator 12 and within the tag 16represents primarily a high-level view of their hardware configurations.In contrast, in FIG. 5 the subject matter depicted within theinterrogator 12 and the tag 16 represents selected high-level aspects ofthe computer programs within the interrogator and tag. In this regard,FIG. 5 is similar in some respects to FIG. 2. It will be noted that thefirmware of the interrogator 12 includes the conventional applicationprogram 101 that was discussed above in association with FIG. 2, and thefirmware in tag 16 includes the conventional application program 111that was discussed above in association with FIG. 2. The primarydifference between FIG. 5 and FIG. 2 is that in FIG. 5 the firmware inthe interrogator 12 includes an additional module in the form of asecurity shim 201, and the firmware in the tag 16 includes an additionalmodule in the form of a security shim 202.

Conceptually, the security shim 201 is disposed between the applicationprogram 101 and the wireless messages 28 that are exchanged between theinterrogator 12 and the tag 16. Similarly, the security shim 202 isconceptually disposed between the application program 111 and thewireless messages 28. If the application program 101 in the interrogator12 wishes to securely transmit an ISO message to the application program111 in the tag 16, the security shim 201 takes that ISO message, usesencryption and authentication techniques to add a level of security, andthen sends a wireless message at 28 that contains the encrypted messagewith authentication information, while being fully compliant with ISO18000-7. The security shim 202 in the tag then uses decryption torecover the original ISO message, and delivers that message to theapplication program 111. Similarly, if the application program 111 inthe tag 16 has an ISO message to be securely transmitted to theapplication program 101 in the interrogator 12, the security shim 202uses encryption to add a level of security, and then transmits awireless message at 28 that contains the encrypted message but is fullyISO 18000-7 compliant. The security shim 201 in the interrogator thenuses decryption to recover the ISO message, and delivers that message tothe application program 101.

The security shims 201 and 202 are effectively transparent to theapplication programs 101 and 111. Moreover, even though the ISO messagesexchanged at 28 in FIG. 5 differ in some respects from the messages thatwould be exchanged if the security shims 201 and 202 were not present,the messages exchanged at 28 are nevertheless all fully compliant withISO 18000-7. Thus, the security shims 201 and 202 are transparent fromthe perspective of ISO compliance, because the messages 28 do notviolate any of the requirements of the ISO 18000-7 standard.

Some of the information maintained by each of the security shims 201 and202 will now be briefly identified. Then, an explanation will beprovided as to how this information is used during system operation.Beginning with the security shim 202 in the tag 16, the security shim202 maintains a security officer access control list 211. Whenever thetag is operational, the list 211 will include at least one securityofficer access control object 210 that in turn includes a digitalcertificate 212 known as the “root” certificate. The root certificate212 contains a PKI public key 213. In the disclosed embodiment, thecertificate 212 is a type of digital certificate conforming to anindustry standard that is known as the X.509 standard, promulgated bythe International Telecommunication Union (ITU) based in Geneva,Switzerland. Since this type of X.509 certificate is known in the art,it is not described here in detail.

In addition to the X.509 certificate 212, the access control object 210includes tag access information 214 that defines the level of accessthat will be permitted to the tag 16 through use of the associated X.509certificate. In a sense, the tag access information 214 can be viewed asa set of rules that govern access to the tag. In this regard, thesecurity scheme implemented by security shims 201 and 202 recognizesfour distinct levels of access to a tag, which are listed in Table 2.

TABLE 2 ROLE DESCRIPTION Tag Owner Installs on tag the access controlobject containing the root certificate, and distributes correspondingcertificates to security officer(s). Security Officer Can provisioncryptographic keysets on tag, and distribute them to authorized personsand entities. Can install and remove additional security officer accesscontrol objects on tag. Can install and remove UDB access controlobjects. Administrator Receives keysets that allow read-only and alsoread/write access to tag. Operator Receives keysets that allow justread-only access to tag.

In Table 2, the lowest level of access is that of an “operator”, who hasonly read-only access to information on the tag. The next higher levelof access is that of an “administrator”, who has read-only access, andalso read/write access. The next higher level is that of a “securityofficer”, who can take security-related actions in the tag that will bedescribed later, such as creating cryptographic keysets, and installingand removing digital certificates (other than the root certificate 212).The highest level of access is that of the tag owner, who has the powerto install and remove the access control object 210 containing the rootcertificate 212. This may, for example, be effected through the serialport 51, as indicated diagrammatically by a broken line 216. IN fact,the overall degree of security is enhanced where operators,administrators and security officers carry out secure communications inone manner (for example through wireless communications), while theaccess control object 210 containing the root certificate 212 isinstalled in a different manner (for example through the serial port51).

The tag access information at 214 indicates the maximum levels of accessthat can be obtained with the associated digital certificate 212. Inthis regard, the tag access information 214 indicates whether theassociated digital certificate can be used to create keysets forread-only access, and whether the associated certificate can be used tocreate keysets for read/write access. In the case of the rootcertificate 212, it will normally be permissible to create keysets forread-only access and keysets for read/write access. This does not meanthat everyone obtaining access with keysets created under thiscertificate will necessarily enjoy full access. For example, asdiscussed above in regard to Table 2, a person using operator keysetscreated under this certificate will be limited to read-only access, evenif the tag access information indicates that read/write access ispermissible. On the other hand, if the tag access information 214indicates that read/write access is not permitted, then it will not bepossible to create keysets under the associated certificate that wouldprovide read/write access.

It is possible for a security officer using a security officer keysetcreated under one certificate (such as the root certificate 212) tooptionally install one or more additional access control objects in thelist 211, for example as shown at 220. The tag access information forone of these other access control objects might indicate that creationof read-only keysets under the associated certificate 221 is permitted,but that creation of read/write keysets under that further certificateis prohibited. If a security officer is using a security officer keysetcreated under an existing certificate in an existing access controlobject, and installs a further access control object, the tag accessrights for that further object must not exceed the tag access rights inthe existing object under which the security officer keyset was created.

The security shim 202 also maintains a further list 226 that is auniversal data block (UDB) recipient list. The list 226 may be empty, ormay optionally contain one or more UDB access control objects. Forexample, reference numeral 227 designates a UDB access control objectcontaining a digital certificate 225 of a UDB recipient. In thedisclosed embodiment, the UDB certificate 225 is an X.509 certificate,and contains a PKI public key 228. The UDB access control object 227further includes UDB access information 229. The list 226 may optionallyinclude a second UDB access control object 231 containing a digitalcertificate 230 with a public key 232, and UDB access information 233.It would be possible to combine the lists 211 and 226 into a single listthat contains both types of access control objects. But for clarity inthis discussion, two separate lists 221 and 226 are shown and described.In a sense, the UDB access information 229 and the UDB accessinformation 233 can each be viewed as a set of rules that govern accessto UDB information, as discussed below.

When the tag 16 receives an ISO message asking that the tag formulateand return a UDB, the UDB access control objects in the list 226identify the persons or entities who will be the ultimate recipients ofthe tag's UDB information. In response to the ISO message presenting theUDB request, the application program 111 in the tag 16 collects all ofthe UDB information that is present within the tag. The security shim202 in the tag intercepts this UDB information from the applicationprogram 111, uses the UDB access control objects in the list 226 toidentify UDB recipients, and prepares a respective separate block of UDBdata for each UDB recipient identified by the UDB access control objects227 and 231 in the list 226. The security shim 202 does not necessarilypass all of the UDB information on to each of the recipients identifiedby the respective access control objects in the list 226. Instead, theUDB access information 229 or 233 in each access control object defineswhich items of UDB information will be received by the associatedrecipient.

For example, assume that the UDB information provided by the applicationprogram 111 is a set of N data elements Data 1 through Data N. Data 1might be tag identification information, Data 2 might be a routing code,and Data N might be some other type of data. FIG. 6 is a diagram showingthe UDB access information 229 associated with the UDB access controlobject 227, and also the UDB access information 233 associated with theUDB access control object 231. It will be noted that the UDB accessinformation 229 associated with access control object 227 indicates theassociated recipient is permitted to receive each of data elements Data1, Data 2, and Data N (and possibly other UDB data elements that arebetween Data 2 and Data N). In contrast, the access information 233associated with access control object 231 indicates the associatedrecipient is entitled to receive data element Data 1 (and possibly otherdata elements between Data 2 and Data N), but not data element Data 2 ordata element Data N.

With reference to FIG. 5, the security shim 202 also maintains UDBprotection status information 241. This information identifies the dataelements in the tag's UDB information that will be protected byencryption and authentication, and the data elements that will not beprotected. Referring again to FIG. 6, the UDB protection statusinformation 241 is depicted twice, once in association with UDB accessinformation 229, and again in association with UDB access information233. In the exemplary embodiment, the UDB protection status information241 indicates that data elements Data 2 and Data N will be protected,but that data element Data 1 will not be protected.

Since the UDB access information 229 indicates that the associatedrecipient is entitled to receive each of data elements Data 1, Data 2and Data N, then when the security shim 202 receives UDB informationfrom the application program 111 (including data elements Data 1 throughData N), the security shim 202 will formulate a UDB block for thatrecipient which includes each of Data 1, Data 2 and Data N (and possiblyother data elements between Data 2 and Data N). Further, since UDBprotection status 241 indicates that Data 2 and Data N need to beprotected, the security shim 202 would encrypt data elements Data 2 andData N. More specifically, the security shim 202 would generate a randomkey, use the random key to separately encrypt each of Data 2 and Data N,and then encrypt the random key with that recipient's public key 228.

Similarly, since the UDB access information 233 for the other UDB accesscontrol object 231 indicates that the associated recipient is entitledto receive data element Data 1 but not data elements Data 2 and Data N,then when the security shim 202 receives UDB information from theapplication program 111, the security shim 202 will formulate a UDBblock for that recipient which includes Data 1 (and possibly other dataelements between Data 2 and Data N), but not data elements Data 2 andData N. The UDB protection status information 241 indicates that dataelements Data 2 and Data N need to be protected, but this recipient isnot receiving those data elements. This recipient is receiving dataelement Data 1, but the UDB protection status information 241 indicatesthat data element Data 1 does not need to be protected. Therefore, dataelement Data 1 would not be encrypted.

As discussed earlier, the application program 111 maintains a database116 of ISO 18000-7 tables, and examples of two of these tables are shownat 117 and 118. The security shim 202 maintains a database 249 of threevirtual ISO tables, which are a P2P Request Table 251, a P2P ResponseTable 252, and a Broadcast Request Table 253. These are referred to asvirtual tables, because the application program 111 of the tag is notaware they exist. There are standard ISO commands that can be used toaccess ISO tables in the database 116, and the security shim 201 can usethese same standard ISO commands to access the virtual ISO tables251-253, as discussed in more detail later.

The security techniques used by the security shims 201 and 202 involveboth (1) a cryptographic technique used to encrypt and decryptinformation, and (2) an authentication technique used to authenticateinformation received in wireless ISO messages 28. The security shims 201and 202 are each capable of working with any of several differentcryptographic techniques, and with any of several differentauthentication techniques. A combination of one particular encryptiontechnique and one particular authentication technique is referred toherein as a “protection suite”. The security shim 202 maintains a list258 of the protection suites with which it is compatible. FIG. 7 is atable showing examples of five protection suites, which are theprotection suites with which the security shim 202 is compatible. Thesefive protection suites are merely exemplary, and it would be possiblefor the list 258 to contain a larger or smaller number of protectionsuites. It will be noted that the last protection suite in FIG. 7 is aNULL-NULL protection suite that does not use either encryption orauthentication. This particular suite is utilized for a special purposethat is discussed in more detail later. The protection suite list 258 inthe security shim 202 will always include the NULL-NULL protectionsuite, along with at least one other protection suite.

Referring again to FIG. 5, the security shim 202 maintains a keysettable 270 that can store four different cryptographic keysets 271-274.With reference to FIG. 5 and Table 2, the keyset 271 is a securityofficer (SO) keyset that can be used by a security officer when readinginformation from or writing information to the tag 16. Thus, the keyset271 can be said to be bidirectional, in that it can be used for messagessent to the tag and also messages sent by the tag. The keyset 272 is aread-only keyset, and is used for messages that are sent to the tag byanyone other than a security officer, and that do not seek to change anyinformation within the tag. The keyset 272 is unidirectional, in that itis used only for messages sent to the tag, and not for any messages sentby the tag. The keyset 273 is a read/write keyset, and can be used formessages that are sent to the tag by anyone other than a securityofficer, and that seek to change information within the tag. The keyset273 is unidirectional, in that it is used only for messages sent to thetag, and not for any messages sent by the tag. The keyset 274 is a tagresponse keyset, and is used for messages sent by the tag to anyoneother than a security officer. The keyset 273 is unidirectional, in thatit is used only for messages sent by the tag, and not for any messagessent to the tag.

Still referring to FIG. 5 and Table 2, a person or entity with operatorstatus would be given the read-only keyset 272 and also the tag responsekeyset 274. A person or entity with administrator status would be giventhe read-only keyset 272, the read/write keyset 273, and the tagresponse keyset 274. A security officer would use the security officerkeyset 271 to carry out certain tasks specific to security officers.

Table 3 is an expanded version of Table 1, showing examples of some ISOcommands for which the read-only keyset 272 is used, and examples ofother ISO commands for which the read/write keyset 273 is used. Thecommands in Table 3 are merely exemplary, because Table 3 does not showall ISO commands. Where the tag replies to any command in Table 3, thetag would use the tag response keyset 274.

TABLE 3 COMMAND COMMAND APPLICABLE CODE NAME DESCRIPTION KEYSET 0x15Sleep Put tag to sleep Read/Write 0x13 User ID Read user-assignedRead-only ID 0x93 User ID Write user-assigned Read/Write ID 0x09 RoutingRead routing code Read-only Code 0x89 Routing Write routing codeRead/Write Code 0x0C Firmware Retrieve firmware Read-only Revisionrevision number 0x0E Model Retrieve tag model Read-only Number number0x60 Read/ Read user memory Read-only Memory 0xE0 Write Write usermemory Read/Write Memory 0x95 Set Set tag password Read/Write Password0x17 Set Engage password Read/Write Password protection protect 0x97 SetDisengage password Read/Write Password protection protect 0x96 UnlockUnlock password Read/Write protected tag 0x70 Read Read Universal DataRead-only Universal Block Data Block 0x26 Table Create databaseRead/Write Create table 0x26 Table Add Prepare to add new Read/WriteRecords records to specified database table 0x26 Table Prepare to modifyRead/Write Update specified table Records records 0x26 Table Prepare toupdate Read/Write Update specified fields of Fields a table record 0x26Table Delete existing Read/Write Delete record from existing Recorddatabase table 0x26 Table Get Prepare to retrieve Read-only Dataspecified table records 0x26 Table Get Get total number of Read-onlyProperties records and size of each field 0x26 Table Retrieve block ofRead-only Read data from table, as Fragment initiated by Table Get Datacommand 0x26 Table Write block of data Read/Write Write into table, asFragment initiated by Table Add Records, Table Update Records, or TableUpdate fields command 0x26 Table Initiate table Read-only Query searchbased on specified criteria 0xE1 Beep Turns tag's beeper Read/WriteOn/Off On or Off 0x8E Delete Delete all allocated Read/Write Writeablewriteable data on Data tag

As discussed earlier, FIG. 5 shows only a single interrogator 12 and asingle tag 16, but it is possible for the tag 16 to carry oncommunications with more than one interrogator at the same time. Thesecurity shim 202 in the tag 16 maintains a table 279 that contains arecord for each interrogator with which the tag is currentlycommunicating. Each such interrogator is identified in the left columnof the table by its interrogator identification code 103. For each suchinterrogator, the right column of the table 279 contains a sequencenumber. In this regard, any given interrogator may transmit a series ofISO wireless messages to the tag 16, and each of these messages willcontain a sequence number, as discussed later. For each interrogator,the table 279 contains the sequence number from the message mostrecently received from that interrogator. Each time the tag receives amessage from that interrogator, the security shim 202 checks to seewhether the sequence number in the new message is greater than thesequence number currently stored in the table 297 for that interrogator.If the sequence number from the new message is equal to or less than thenumber in the table, then the security shim flags an error. Otherwise,the security shim accepts the new message, and replaces the sequencenumber in the table 279 with the sequence number from the new message.

Turning now to the security shim 201 in the interrogator 12, FIG. 5shows that the security shim 201 includes security officer credentials300, the credentials 300 including a security officer (SO) certificate301 containing a public key 302, and a private key 303. In this example,the SO certificate 301 corresponds to the root certificate 212 in thetag 16. In this regard, the public key 302 in the credentials 300 wasgenerated by concatenating the public key 213 of the root certificate212 with a public key corresponding to the private key 303 in thecredentials 300, and then signing the two concatenated keys with anot-illustrated private key corresponding to the public key 213. Thereare various ways in which the credential 300 can be introduced into theinterrogator 12. As one example, the credentials 300 could be introducedinto the interrogator 12 from a portable memory device 306 of a knowntype, such as a Universal Serial Bus (USB) flash memory device, or adevice of the type commonly known as a “smartcard”.

As discussed above, a protection suite is a combination of oneparticular encryption technique and one particular authenticationtechnique. The security shim 201 includes a list 311 of protectionsuites with which it is compatible. This protection suite list 311 isconceptually similar to the protection suite list 258 discussed earlierin association with the security shim 202 and FIG. 7. However, the setof protection suites identified in the list 311 may not necessarily beidentical to the set of protection suites identified in the list 258.However, both lists will include the NULL-NULL protection suite (FIG.7), as well as at least one other protection suite. In order for thesecurity shims 201 and 201 to exchange secure information, the lists 258and 311 will need to have at least one protection suite in common (otherthen the NULL-NULL protection suite).

The security shim 201 can generate and temporarily save a transient PKIpublic key 316 and a corresponding transient PKI private key 317, for apurpose discussed in more detail later. The security shim 201 alsoincludes encrypted storage 326 that may be empty, but that willtypically include one or more keyset tables, two examples of which areshown at 327 and 328. The keyset tables 327 and 328 are each similar tothe keyset table 270 discussed above, which contains four keysets271-274. For the purpose of this discussion, it is assumed that thekeyset table 327 is for the tag 16 and is thus identical to the keysettable 270 in the tag 16, and that the keyset table 328 corresponds to adifferent tag and thus is not identical to the keyset table 270 in tag16. However, there may be some commonality. For example, for reasonsdiscussed later, the keyset tables 327 and 328 may each contain aread-only keyset that is identical to the read-only keyset 272 in thetag 16. In the disclosed embodiment, the encryption technique used forprotecting the storage 326 is implemented with the Microsoft®Cryptographic API (CAPI) available on the Windows XP® and Windows CE®platforms (CE-CRYPTO). However, the encryption could alternatively beimplemented using any other suitable encryption platform.

As mentioned above, the storage 326 is encrypted. In order to providefor restricted access to this encrypted storage 326, the security shim201 maintains an access control section 336 that contains one or moreaccess control blocks each corresponding to a respective different user.For example, the control section 336 contains an access control block341 that has a user identification 342, a password 344, and anidentification 343 of one or more keyset tables 327-328 that thespecified user is authorized to use. Similarly, another access controlblock 346 has a user identification 347 that identifies a differentuser, a password 349 for that user, and an identification 348 of one ormore keyset tables 327-328 that the user is authorized to use. When, forexample, the user 342 provides the proper password 344 to the controlsection 336, each keyset table identified at 343 is obtained fromencrypted storage 326, decrypted, and then made available for use bythat user. Each user is permitted to freely change his or her password.Depending on the circumstances, and where appropriate, the securityofficer credentials 300 could also be maintained in protected storage,with access thereto controlled by the access control section 336.

As discussed earlier, the ISO 18000-7 standard does not have anyprovision for protecting ISO messages that are being transmitted.Moreover, this ISO standard does not have a built-in extension mechanismpermitting the definition of new and proprietary messages that conformto the standard but that could also use encryption or some othersecurity mechanism. Accordingly, the security shims 201 and 202implement a unique technique that complies with the ISO 18000-7 standardbut that provides strong security for ISO messages exchanged between theapplication program 101 in the interrogator and the application program111 in the tag 16. According to this technique, the actual original ISO18000-7 message is encrypted, then transmitted as a payload within atleast one other ISO 18000-7 message that is not encrypted and thateffectively serves as an envelope for the encrypted original message.This approach of embedding one ISO message within another is referred toherein as “tunneling” the encrypted message within the envelope message.

In more detail, and as discussed earlier, the ISO 18000-7 standardincludes commands that permit the interrogator 12 of FIG. 5 to accessISO tables in the database 116, such as the exemplary tables shown at117 and 118. The security shim 201 of the interrogator 12 uses the sameISO table commands for envelope messages, in order to access the virtualtables 251-253 in the security shim 201. Thus, if the applicationprogram 101 in the interrogator 12 has an ISO message that is to be sentto the application program 111 in the tag 16, the security shim 201intercepts this ISO message, adds encryption and authentication, andthen transmits it as the payload in at least one enveloping ISO messagecontaining a table write fragment command directed to one of the virtualtables 251 or 253.

As a practical matter, the encrypted and authenticated command willusually be too large to be sent as the payload of a single ISO message.This is due in part to the fact that, in the United States, the FederalCommunications Commission limits RFID infrastructure transmissions to 25msec out of any 100 msec time window, which effectively limits eachmessage to a length of about 100 bytes. Other countries and localauthorities may also impose constraints. Accordingly, since theencrypted and authenticated command will usually be too large to embedwithin a single ISO message, it will typically be broken into severalfragments, and then the fragments will be sent separately to the table251 or 253 in respective different enveloping messages that are each anISO table write fragment command. When all of the fragments have beenwritten into the virtual table 251 or 253, the security shim 202 willretrieve and reassemble the fragments, authenticate and decrypt theresult in order to recover the original ISO command, and then deliverthis ISO command to the application program 111.

Conversely, if the application program 111 in the tag 16 has an ISOmessage to send to the application program 101 in the interrogator 12,the security shim 202 can intercept this ISO message, add encryption andauthentication, fragment the message, and put the fragments into thevirtual table 252. The security shim 202 then notifies the security shim201, and the security shim 201 retrieves these fragments from thevirtual table 252 using successive ISO table read fragment commands.That is, the fragments are each transported as the payload of arespective envelope ISO message sent in response to an ISO table readfragment command. When the security shim 201 has retrieved all of thefragments from the table 252, it reassembles the fragments and thenauthenticates and decrypts the resultt, in order to recover the originalISO message. The security shim 201 then delivers the original ISOmessage to the application program 101. With reference to an earlierdiscussion herein of different categories of messages, the virtualtables 251 and 252 are used for P2P messages and responses, and thevirtual table 253 is used for broadcast table query messages.

FIG. 8 is a diagram showing in more detail how this can be accomplishedfor an ISO 18000-7 P2P message 401 that is generated by the applicationprogram 101. The command 401 has a standard ISO format, including ISOheaders 402, a command code 403, a length value 404, and data 405. Inorder to reduce the amount of information that must be encrypted andtunneled, some of the ISO headers 402 from the message 401 are dropped,in order to obtain a compressed version 411 of the ISO headers 402. Thisis shown in more detail in Table 4.

TABLE 4 ACTION HEADERS Header would be the same in both Packet Optionsthe tunneled message and the Tag Manufacturer ID envelope message. Omitfrom header Tag Serial Number of tunneled message, and then InterrogatorID recreate at receiving end by copying from the equivalent header inthe envelope message. Omit from header of tunneled Packet Lengthmessage, and then recreate at CRC receiving end by re-computing thevalue. To protect this information, Tag Status preserve this header inthe tunneled message, and set the corresponding header of the envelopemessage to always indicate a positive response from tag.

In this regard, if all of the ISO headers 402 were retained in thetunneled message, some of them would necessarily always be identical totheir counterparts in the ISO headers of the envelope message.Accordingly, these headers are omitted from the tunneled message. At thereceiving end, they are added back to the tunneled message by simplycopying the counterparts from the envelope message. As shown in Table 4,these include well-known ISO headers such as packet options, tagmanufacturer identification, tag serial number, and interrogatoridentification code. As another example, some of the ISO headers 402 ofthe tunneled message would not necessarily be identical to theircounterparts in the envelope message, but can be omitted from thetunneled message, and then recreated at the receiving end by recomputingthem. As shown in Table 4, these include the well-known ISO headers ofpacket length and CRC error checking.

One other ISO header of interest is the tag status header. This headeris maintained without change in the tunneled message. In theory, thecounterpart header in the envelope message could be identical. However,this status information in the header of the envelope message would thenbe publicly accessible to anyone within the transmission range of thetag. In order to avoid making this status information available toanyone other than the intended recipient(s), and as indicated in Table4, the ISO tag status header in each envelope message is unconditionallyset to indicate a positive status response from the tag, regardless ofwhether the tag status header in the tunneled message happens to bepositive or negative. Consequently, other parties who may look at theenvelope message will always see it reflecting a positive tag status,and will not know whether the actual tag response was positive ornegative.

Referring again to FIG. 8, reference numeral 412 identifies thecompressed version of the original ISO message 401. As between any pairof transmitting and receiving devices, a selected common protectionsuite will be in effect. As discussed above, that protection suite willidentify both an encryption technique and an authentication technique.In addition, between that same pair of devices, it will be possible toidentify an appropriate cryptographic keyset which, depending on thecircumstances, may be the security officer keyset 271, the read-onlykeyset 272, the read/write keyset 273, or the tag response keyset 274.The compressed ISO message 412 is encrypted using the appropriate keysetand using the encryption technique specified in the selected protectionsuite (unless the suite specifies NULL rather than an encryptiontechnique). The resulting encrypted information 416 is expressed in TLVformat.

Next, a cryptographic information TLV 417 is concatenated to theencrypted information TLV 416. The cryptographic information TLV is notitself encrypted, but indicates how the information 416 was encrypted,including an identification of the particular protection suite used andthe particular keyset used. FIG. 9 is an example of how thecryptographic information TLV 417 would appear if the selectedprotection suite was the AES-128-CTR-HMAC-SHA1-96 suite of FIG. 7. Thecryptographic information TLV 417 and the encrypted information TLV 416represent the protected payload 421 that is to be transmitted. Thispayload will usually be too long to be sent in a single ISO envelopemessage. Therefore, the protected payload 421 is typically fragmented ina way that minimizes the number of fragments that must be separatelysent. In the example shown in FIG. 8, this results in three fragmentsFRAG1, FRAG2, and FRAG3. Each fragment is then expressed in TLV form, inorder to obtain three fragment TLVs F1, F2, and F3, which will each besent in a respective separate ISO envelope message.

FIG. 10 is a diagram showing four ISO envelope messages 436-439, each ofwhich contains a table write fragment command directed to the virtualtable 251 in FIG. 5. The ISO messages 436-438 each include a respectiveone of the fragment TLVs F1, F2, and F3. The fourth ISO message 439contains a TLV 441 with authentication information. The authenticationinformation 441 includes a sequence number, and also a checksum valuethat will be explained later. With respect to the sequence number, andaccording to the ISO 18000-7 standard, the original ISO message 401(FIG. 8) contains a sequence number. This sequence number from theoriginal ISO message 401 is the sequence number in the authenticationinformation 441 of the ISO message 439.

It is well known in the art how, under the ISO standard, several ISOtable write fragment commands such as those shown at 436-439 in FIG. 10can be used to write respective fragments of related information into atable such as the P2P Request Table 251 in FIG. 5. Therefore, thistechnique is not described in detail here. Instead, it is discussed onlybriefly, to an extent that facilitates an understanding of aspects ofthe present invention.

To initiate the process, the security shim 201 of the interrogator 12transmits to the tag 16 a not-illustrated ISO table update recordcommand, which serves as a request for permission to update the table251. The security shim 202 of the tag 16 then sends back an ISO messagecontaining a value that is commonly referred to as an operationinitiation token. This and other similar tokens are random values, whichadds to the security of a given message exchange. The interrogator 12then sends the ISO message 436 in order to put the fragment TLV F1 inthe table 251, and the tag responds by transmitting an ISO message withan operation continuation token. The interrogator then transmits the ISOmessage 437, and receives back an ISO message with a furthercontinuation token. The interrogator then transmits the ISO message 438,and receives back another ISO message with a continuation token. Theinterrogator then transmits the ISO message 439. The checksum in theauthentication TLV 441 of the message 439 is computed by concatenatingall messages that have been exchanged between the interrogator and thetag, beginning with the initial table update record message, andincluding all messages sent by the tag with continuation tokens, as wellas the final message 439, except for the authentication portion of thefinal message 439. This authentication checksum is computed according tothe authentication technique indicated in the protection suiteidentified by the cryptographic information TLV 421 (FIG. 8), and usingthe appropriate keyset.

When all of the ISO 18000-7 messages 436-439 have been received by thetag and are present in the table 252, the security shim 202 in tag 16takes the sequence number from the authentication information 441 in thefinal message 439, and compares that sequence number to the sequencenumber currently stored in the table 279 for the interrogator 12. If thesequence number from the message 439 is less than or equal to thesequence number currently stored in the table 279, the security shim 202flags an error. Otherwise, the security shim 202 replaces the sequencenumber in table 279 with the new sequence number from the authenticationinformation in message 439. Then, the security shim 202 locally computesits own authentication checksum, and compares it to the authenticationchecksum received in the authentication information 441 of the message439, in order to confirm that the checksums are identical. If the tagdetects an error at any time during the exchange of messages, then thetag sends the interrogator an ISO 18000-7 error message of a known type.Upon receiving this error message, the security shim 201 in theinterrogator 12 discontinues the transmission, and notifies theapplication program 101 about the error.

On the other hand, if the security shim 202 in the tag has notidentified any errors, and if the authentication checksum is verifiedsuccessfully, then the security shim 202 (1) reassembles the fragmentsF1, F2, and F3, (2) decrypts this reassembled information, and (3)replaces or recreates the missing ISO headers, in order to thereby endup with the original message that is shown in 401 at FIG. 8. Thesecurity shim 202 then delivers this ISO message 401 to the applicationprogram 111 in the tag 16.

In response to the command in the ISO message 401, the tag will send aresponse back to the interrogator. This response is handled in a mannerthat is only slightly different from the manner described above for themessage 401. In particular, the application program 111 in the tag 16formulates an ISO message containing its response. Then, in a mannersimilar to that shown in FIG. 8, the security shim 202 compresses theISO headers, encrypts the result, adds a cryptographic information TLV,and puts the resulting fragment TLVs in the P2P Response Table 252. Thetag then sends the interrogator an ISO message containing a specialtoken that indicates to the security shim 201 in the interrogator that asecure response is ready, and waiting to be retrieved. This prompts theinterrogator to read the fragment TLVs from the table. For the mostpart, the manner in which this is carried out is known under the ISO18000-7 standard, and the retrieval of the fragments is thereforedescribed only briefly here.

In response to the token from the tag, the interrogator sends back anISO message containing an ISO table get data command, and the tagresponds with an operation initiation token that is a random value. Theinterrogator then sends an ISO table read fragment command to the tag,and the tag sends back an ISO message containing the first fragment anda further random token. The interrogator then requests the nextfragment, and so forth. After the tag sends the last actual fragment,and in response to the next table read fragment request from theinterrogator, the tag sends an ISO message that contains a sequencenumber and an authentication checksum. The authentication checksum iscomputed by concatenating all messages exchanged between theinterrogator and tag, beginning with the message containing the initialtoken sent by the tag upon completing preparation of its response, andending with the tag's final message containing the authenticationchecksum, except for the checksum itself. During the exchange ofmessages that transmit the tag's response to the interrogator, if thetag happens to detect any error, the tag sends the interrogator an ISO18000-7 error message. The interrogator then discontinues the exchange,and notifies the application program 101 of the error.

When the interrogator receives the message with the tag's authenticationchecksum, the interrogator independently computes an authenticationchecksum, and compares it to the authentication checksum received fromthe tag, in order to verify that they are identical. If the tag'sauthentication checksum is verified successfully, then the security shim201 in the interrogator reassembles the various fragments it retrieved,decrypts the result, and replaces or recreates the missing ISO headers,in order to thereby end up with the ISO message that was the tag'sresponse. The security shim 201 then passes this ISO message to theapplication program 101 in the interrogator.

The foregoing explanation relates to an exchange that began when theinterrogator 12 decided to send an ISO P2P message to a single specifictag 16. However, as discussed earlier, the interrogator 12 can alsobroadcast to a plurality of different tags an ISO 18000-7 broadcasttable query message having embedded within it a protected broadcasttable query. In particular, the embedded message is a table querydirected to one of the ISO tables 117-118 that is present in each of thetags, and is sent in an envelope message that is a table query to theBroadcast Request Table 253. The original command is compressed,encrypted and fragmented in a manner similar to that shown in FIG. 8,with two differences. The first difference is that the encryption isalways carried out using the read-only keyset 272 of the tags to whichthe message is directed. It will be noted that these tags all need toshare the same read-only keyset 272, but the other keysets 271, 273 and274 can all be different and unique in each tag. The second differencerelates to the compressed ISO headers in the tunneled message.

More specifically, the ISO headers of the tunneled message include apacket options field, which in turn contains a communication type bit.When the security shim 201 intercepts the message prepared by theapplication program 101, this communication type bit will be a binary“0”, to indicate that the communication is a broadcast communication.But during the process of compressing the ISO headers, the security shim201 in the interrogator generates a random bit that is referred to hereas the collection query random bit “CQRB”. The security shim 201 savesthe CQRB for later use, and also stores this bit in the communicationtype bit of the packet options field in the compressed ISO headers, inplace of the binary “0” that the interrogator 12 put there.

FIG. 11 is a diagram showing how the fragments of the original tablequery message are sent in several successive ISO table query messages446-449 that are directed to the Broadcast Request Table 253 in thetags. The transmission of the messages 446-449 conforms to the ISO18000-7 standard, and is therefore discussed here only briefly. Theinterrogator 12 successively transmits each of the messages 446-449,without receiving any response from any of the multiple tags.

The final message 449 contains authentication information 456, includinga final sequence number, and an authentication checksum. The checksum iscomputed by concatenating all of the information in all of the messages446-449, except for the checksum itself. The checksum is computedaccording to the message authentication algorithm of the protectionsuite identified in the cryptographic information TLV that is embeddedwithin the fragment F1 in the first message 446, using the read-onlykeyset 272.

As each tag 16 is receiving the messages 446-449, the tag's securityshim 202 monitors the ISO 18000-7 query collection command sequencenumbers in those messages, using the table 279 (FIG. 5). In particular,if a received sequence number is less than or equal to the sequencenumber currently stored in the table 279 for interrogator 12, thesecurity shim flags an error. Otherwise, the security shim 202 replacesthe sequence number in the table 279 with the new sequence number. Whenthe messages 446-449 have all been properly received, the tag locallycomputes its own authentication checksum for these messages, andcompares it to the authentication checksum received in the final messagefrom the interrogator, in order to verify that they are identical. Ifthis authentication fails, then the tag discards the messages. But ifthe sequence and authentication information is all correct, then thesecurity shim 202 in the tag decrypts and reassembles the original tablequery message. As part of the reassembly of the original message, and inparticular as the compressed ISO headers are reconstructed, the securityshim 202 saves the received CQRB bit for later use, and sets thecommunication type bit of the packet options field in the reconstructedheaders to a binary “0”. The security shim 202 then passes thereconstructed message on to the application program 111 of the tag.

In due course, and in a similar manner, the interrogator will transmitto all the tags a broadcast message containing a collection querycommand. When the security shim 202 in the tag passes this message onthe tag's application program 111, the application program 111 willgenerate an ISO 18000-7 compliant reply message. The ISO headers of thismessage contain a tag status field, which in turn includes a “servicebit” that represents tag's reply to the query. This ISO message isintercepted by the security shim 202 in the tag, and the security shimperforms an exclusive or (XOR) between the service bit and the CQRB bit,and substitutes the result for the service bit. Then without furtherchange or tunneling, the security shim 202 transmits the modified ISOmessage to the interrogator 12. Although this ISO message is notencrypted or tunneled, the true value of the service bit cannot bedetermined.

When the security shim 201 in the interrogator 12 receives this ISOmessage, it takes the modified service bit from the tag status field inthe ISO headers, and carries out an exclusive or (XOR) between thismodified service bit and the previously-saved CQRB bit, in order tothereby recover the original value of the service bit. The security shimsubstitutes this recovered original service bit for the modified servicebit in the ISO headers of the message, and then passes the message on tothe application program 101 in the interrogator.

As mentioned earlier, the ISO 18000-7 standard has provisions for theinterrogator 12 to transmit to multiple tags a broadcast request for auniversal data block (UDB), expecting that each tag will then prepareand return a UDB. In addition, the ISO 18000-7 standard has provisionsfor the interrogator 12 to transmit to one selected tag a P2P requestfor a UDB, and then only the selected tag will prepare and return a UDB.For the purpose of this discussion, it is assumed that, in the disclosedembodiment of FIG. 5, the application program 101 in the interrogator 12generates the broadcast ISO message for UDB collection. The securityshim 201 does not apply any encryption or other form of security to thatmessage. Instead, the security shim 201 transmits the message at 28without any change. On the other hand, when each tag 16 responds, thetag's security shim 202 encrypts certain information in the UDB datathat is being returned, as briefly mentioned earlier. This is explainedin more detail below, with reference to FIG. 12.

More specifically, FIG. 12 is a diagram showing an ISO message 501 thatcontains one or more protected blocks 506 of UDB data, and also one ormore authentication blocks 508. The UDB blocks 506 and theauthentication blocks 508 are provided in pairs. That is, each UDB block506 is associated with a respective different authentication block 508.As discussed earlier in association with FIG. 5, the security shim 202in the tag maintains a UDB recipient list 226, and in the disclosedembodiment this list contains at least two UDB access control objects227 and 231. The UDB message 501 contains a respective UDB block 506 foreach access control object in the list 226, and also contains acorresponding authentication block 508 for each access control object.

One of the UDB blocks 506 is shown in more detail in the upper portionof FIG. 12. It includes a section 516 of UDB data, and this section 516contains one or more data elements that are each configured in a TLVformat. As discussed above in association with FIGS. 5 and 6, theapplication program 111 responds to a UDB request by collecting all ofthe data elements in the tag that could possibly be returned in reply toa UDB request. As discussed in association with FIG. 6, each UDB accesscontrol object in the list 226 includes UDB access information, such asthat shown at 229 or 233 in FIG. 6. The UDB access information defineswhich of the various UDB data elements the associated recipient isentitled to receive. In this example, as discussed above in associationwith FIG. 6, the UDB access information 229 for one recipient isdifferent from the UBD access information 233 for another recipient.Thus, the section 516 in one UDB block 506 will contain one set of dataelements specified by one recipient's UDB access information 229,whereas a different UDB block 506 will contain a different set of dataelements identified by the other recipient's UDB access information 233.Moreover, as discussed above in association with FIG. 6, the UDBprotection status information 241 will be used to determine whether ornot each data element in each UDB block 506 will be protected byencryption.

In FIG. 12, each UDB block 506 includes a field 521 that contains a UDBsequence number in TLV format, and a further field 522 that contains tagidentification information in TLV format. The tag identificationinformation at 522 includes both the tag manufacturer identification 122(FIG. 5) and also the tag serial number 124. The fields 516, 521 and 522are encrypted by the security shim 202, using a randomly generatedencryption key that is different for each UDB block 506. The randomencryption key is then encrypted using the respective public key 228 or232 (FIG. 5) of the intended recipient of the particular UDB block 506,and this encrypted key is placed in a field 524 of the block 506, in TLVformat. The recipient of the block will have a private key correspondingto the public key 228 or 232, and will thus be able to decrypt the field524 in order to retrieve the random key. The recipient can then use thisrandom key to decrypt and authenticate the fields 516 and 521-522.

Each UDB block 506 also includes several other fields 526-530. Thefields 526 and 527 are type and length information for the TLV format ofthe entire UDB block 506. The field 528 is a recipient identification inTLV format. In the disclosed embodiment, the recipient identification isthe “distinguished name” from the particular recipient's X.509certificate 225 or 230 (FIG. 5). The field 529 contains cryptographicinformation that will be needed by the recipient in order to decrypt theencrypted portions of the UDB 506. The field 530 contains authenticationinformation in the form of a cryptographic checksum of all of the otherfields (A1) in that particular UDB block 506, computed according to theauthentication technique specified by the protection suite identified inthe cryptographic information 529, and using the random key that appearsin encrypted form in field 524.

The lower portion of FIG. 12 shows one of the authentication blocks 508in greater detail. In the disclosed embodiment, each authenticationblock 508 includes six fields 541-546. The field 546 contains anauthentication checksum that is based on all information (A2) in themessage 501 other than the authentication blocks 508, as well aseverything (A3) in this particular authentication block 508, other thanthe field 546 itself. The fields 541 and 542 contain type and lengthinformation for the TLV format of the entire authentication block 508.The field 543 contains a recipient identification which is the same asthat in the field 528 of the corresponding UDB block 506. The field 544contains a cryptographic information TLV of the type shown in FIG. 9,part of which is an identification of the authentication method used togenerate the authentication checksum in the field 546. Theauthentication checksum is generated with a random key. This random keyis then encrypted using the public key 228 or 232 from the digitalcertificate of the intended recipient, and placed in a field 545 of theauthentication block 508.

The ISO message 501 of FIG. 12 containing UDB information is not itselfencrypted and/or tunneled, because each of the UDB blocks 506 in thismessage 501 have portions that have already been separately encrypted.If the UDB blocks 506 and authentication blocks 508 have a collectivesize that is too large to be sent in a single ISO 18000-7 message, thenthis UDB “payload” is broken up into two or more segments in a mannerspecified by the ISO 18000-7 protocol, and the segments are sent inseparate messages. Since persons skilled in the art are familiar withhow, under the ISO 18000-7 standard, a UDB payload is to be segmentedand how the segments are to be separately transmitted, that process isnot shown and described in detail here. It is assumed for the sake ofthis discussion that the UDB payload is not sufficiently large torequire segmentation. Consequently, the message shown at 501 will bewirelessly transmitted at 28 in the format shown at 501.

The security shim 201 in the interrogator 12 will receive the message501, and then pass it on without change to the application program 101,which will then forward it on to each of the intended recipients. Forexample, assume that the users 22 and 23 in FIG. 5 respectivelycorrespond to the UDB access control objects 227 and 231 in the tag 16.The application program 101 would forward the entire message 501 throughthe network 18 to each of the users 22 and 23. User 22 will have aprivate key that corresponds to the public key 228 in the certificate225, and will thus have cryptographic access to one UDB block 506 andthe associated authentication block 508. The user 23 will have adifferent private key that corresponds to the public key 232 in thecertificate 230, and will thus have cryptographic access to a differentUDB block 506 and the associated authentication block 508. The user 22will be able to verify the two authentication checksums 530 and 546 inits pair of blocks 506 and 508, and the user 23 will be able toseparately verify the authentication checksums in the fields 530 and 546of its pair of blocks 506 and 508.

With reference to FIG. 5, when the tag 16 is first being commissioned,the tag owner will install the security officer access control object210 that contains the root certificate 212. At this point, the list 211will not contain any other certificates, and the list 226 will be empty.Further, the cryptographic keysets in table 270 will not yet be defined.

After the tag owner installs the access control object 210 containingthe root certificate 212, the next step in the commissioning procedureis for a security officer (for example the user 21) to authenticatehimself to the tag, for the purpose of defining keysets 271-274 thatwill allow the security shims 201 and 202 to exchange protectedinformation in the manner described above. The first task that thesecurity officer must complete is to establish the security officerkeyset 271, in a manner explained in more detail below. As this iscarried out, the security shim 201 transmits information to the tag 16,using table write fragment commands that store information fragments inthe P2P Request Table 251, and using table read fragment commands toread information fragments from the P2P Response Table 252, in a mannergenerally similar to that already described above. One difference isthat, with reference to FIG. 7, the protection suite used for theseparticular exchanges is the NULL-NULL protection suite. In other words,the security shims 201 and 202 exchange P2P ISO messages without usingany encryption or authentication. This is because the exchange ofinformation between the security officer and the tag in this particularsituation is configured to be self-protecting.

In more detail, FIG. 13 is a flowchart showing how a security officercan, through the interrogator 12, authenticate to the root certificate212 in the tag 16, determine a protection suite, and establish thesecurity officer keyset 271. This procedure begins at 571. In block 572,the security officer has the security shim 201 generate a transientrandom public key and a transient random private key, which arerespectively shown at 316 and 317 in FIG. 5. The security officer alsohas the interrogator's security shim 201 generate a random number RI.The security officer then has the security shim 201 transmit selectedinformation to the tag at 573, using the tunneling technique discussedabove in association with FIGS. 8 and 10, but with the NULL-NULLprotection suite (FIG. 7). The information transmitted at 573 includesthe security officer's digital certificate 301 (including its embeddedpublic key 302), the list 311 of protection suites supported by thesecurity shim 201 in the interrogator, the transient public key 316, andthe random number RI.

Upon receiving this information, the security shim 202 in the tagcompares the protection suite list 311 from the interrogator 12 to itsown protection suite list 258, in order to determine whether or notthere is at least one protection suite common to both lists (other thanthe NULL-NULL protection suite). If there is no common protection suite,then the security shim 202 terminates its participation in thetransaction, as indicated at 577. Otherwise, the security shim 202proceeds to block 578, where it checks to see if the digital certificate301 from the security officer is valid. For example, the digitalcertificate 301 specifies a range of dates within which it is valid, andthe security shim 202 can verify that the current date maintained in thetag using clock 52 (FIG. 1) is within the range of dates specified bythe certificate. The security shim 202 can also check the integrity ofthe certificate by verifying the issuer's signature, using the publickey 302 from the security officer's digital certificate 301. If thesecurity shim 202 determines that there is a problem with the digitalcertificate 301 of the security officer, the security shim terminatesthe transaction at 577.

Otherwise, at block 581, the security shim 202 selects one protectionsuite that is common to both of the lists 311 and 258 (other than theNULL-NULL protection suite). The security shim 202 also generates arandom number RT. Then, the security shim 202 uses the transient publickey 316 received from the interrogator at 573 to encrypt both the randomnumber RT and an identification of the selected protection suite. Then,at 582, this information is transmitted back to the security shim 201 inthe interrogator 12. The transfer of this information is effected byputting the information in the P2P Response Table 252, and thennotifying the security shim 201 in the interrogator, so that thesecurity shim 201 can retrieve this information from the table 252 inthe manner discussed earlier. The protection suite selected by the tagat block 581 is not yet in effect, and so all of the exchanges shown inFIG. 13 are carried out using the NULL-NULL protection suite.

At block 583, the security shim 201 in the interrogator decrypts theinformation that it received at 582 from the security shim 202 in thetag. The security shim 201 then computes an authentication value HI,according to the authentication technique identified in the protectionsuite selected by the security shim 202 in the tag, and using the randomkey RT received from the security shim 202. In addition, the securityshim 201 generates a further random number SALT. The security shim 201concatenates the authentication value HI and the random number SALT, andsigns the concatenated result with the private key 303 associated withthe digital certificate 301. This signed information is then transmittedat 584 to the security shim 202 in the tag. Upon receiving thisinformation, the security shim 202 uses the public key 302 that itreceived in the security officer's certificate 301, and verifies thesignature in the information received at 584. If the signature is notvalid, then the security shim 202 ends the transaction at 577.

Otherwise, the security shim 202 in the tag proceeds to block 587, whereit locally computes its own authentication checksum HT, and thencompares this to the authentication checksum HI from the interrogator,in order to verify they are identical. If they are different, then thesecurity shim 202 terminates the transaction at 577. Otherwise, thesecurity shim 202 proceeds to block 588, where it generates the securityofficer (SO) keyset 271. In this regard, the various messages receivedfrom the interrogator each include the interrogator identification code103 (FIG. 5), and of course the security shim 202 has also received fromthe interrogator's security shim 201 the random numbers RI and SALT. Thetag's security shim 202 concatenates (1) the random number SALT, (2) therandom number RT, (3) the random number RI, (4) the tag serial number124, (5) the tag manufacturer identification 122, and (6) theinterrogator identification 103. The security shim 202 then uses thisconcatenated information as an input to well-known algorithm referred toin the art as PBKDF2 (Password-Based Key Derivation Function), in orderto derive material that is used as the security officer keyset 271. Thiskeyset includes both an encryption key, and an authentication key. Thetag's security shim 202 saves this keyset at 271. Next, at 591, thesecurity shim 202 sends to the interrogator's security shim 201 amessage that instructs the security shim 201 to change protectionsuites. The security shim 202 then switches from use of the NULL-NULLprotection suite to use of the protection suite selected at block 581.

When the interrogator's security shim 201 receives the message sent at591, the it already has in hand all of the same information used by thetag's security shim 202 to generate the security officer keyset.Accordingly, at block 592, the interrogator's security shim 201separately derives and saves the security officer keyset 271 in the samemanner that this keyset was derived by the tag's security shim 202, inparticular by concatenating the same information and then using the samePBKDF2 function. The security shim 201 in the interrogator then switchesfrom use of the NULL-NULL protection suite to use of the protectionsuite selected by the tag at block 581. Thereafter, any furthercommunications between the security officer and the tag will still beeffected with tunneled messages routed through the P2P Request andResponse Tables 251 and 252, but using the security officer keyset 271,and the protection suite selected at 581.

In this regard, the security officer can use the selected protectionsuite and the security officer keyset 271 to send the tag's securityshim 202 a read-only keyset, which the security shim 202 stores at 272for later use. As mentioned earlier, the security officer will normallyprovide this same read-only keyset to many different tags, so thatbroadcast messages sent to multiple tags can contain informationencrypted with this keyset, and the various tags will each be able todecrypt the encrypted information.

The security officer can also use the security officer keyset 271 andthe selected protection suite to instruct the tag's security shim 202 togenerate a read/write keyset. The security shim 202 will then generaterandom numbers for use as the read/write keyset, store the read/writekeyset at 273, and send the read/write keyset 273 back to theinterrogator's security shim 201. Further, the security officer can usethe security officer keyset 271 and the selected protection suite toinstruct the tag's security shim 202 to generate a tag response keyset.The security shim 202 then generates random numbers for use as the tagresponse keyset, stores the tag response keyset at 274, and sends thetag response keyset to the interrogator's security shim 201.

Using the security officer keyset and the selected protection suite, thesecurity officer can also instruct the tag's security shim 202 toinvalidate all of the keysets that are currently stored in the table270, including the security officer keyset 271. This is a two-stepprocedure. First, the security officer sends a message instructing thetag's security shim 202 to invalidate all of the local keysets stored intable 270. The security shim 202 then sends back a message containing arandom number. The interrogator's security shim 201 then increments therandom number by 1 modulo 2⁹⁶, and sends the result to the tag'ssecurity shim 202. The security shim 202 checks the incremented valueand, if it is correct, the security shim 202 invalidates all of thekeysets stored in the table 270.

Using the security officer keyset 271 and the selected protection suite,the security officer can optionally install additional access controlobjects in the tag. For example, the security officer can optionallyinstall one or more additional security officer access control objectsin the list 211, such as the certificate shown in broken lines at 220.In addition, the security officer can optionally install one or more UDBaccess control objects in the list 226, such as those shown in brokenlines at 227 and 231. When the security officer installs an additionalaccess control object 220 in the list 211, the tag access rights forthat additional object cannot be greater than the tag access rights ofthe existing access control object that was used to create the securityofficer keyset being used by the security officer.

The security officer can view access control objects already installedon the tag, by sending a message that requests a list of the installedobjects. In response, the tag will return a list containing the “subjectname” field from the digital certificates in each of the access controlobjects currently installed in each of the lists 211 and 226 on the tag.

The security officer can use the security officer keyset 271 and theselected protection suite to optionally remove any of the access controlobjects that are already installed in either of the lists 211 and 226,except for the access control object 210 containing the root certificate212. The procedure for removing an access control object is similar tothat for invalidating the keysets in table 270. In particular, thesecurity officer sends a request that a particular access control objectbe deleted, and the security shim 202 in the tag returns a randomnumber. The security officer then increments the random number by 1modulo 2⁹⁶, and returns the result. The tag's security shim 202 checksthe incremented result and, if it is correct, the security shim deletesthe specified access control object.

The tag 16 maintains a not-illustrated log of all attempts toauthenticate to or access the tag, including not only successfulattempts, but also unsuccessful attempts.

FIG. 14 is a diagram showing three different sites 701, 702 and 703 thatare geographically spaced from each other. For the purpose of thisdiscussion, it is assumed by way of example that the site 701 is amanufacturer's facility, that the site 702 is a shipping hub, and thatthe site 703 is a customer's facility. Products manufactured at the site701 are loaded into a container 704, and the previously-described tag 16is physically attached to the container 704. The container 704 with thetag 16 will be shipped by truck from the manufacturer's site 701 to theshipping hub 702, where the container 704 will be switched from theoriginal truck to a further truck. The container 704 with the tag 16will then be transported by the further truck from the site 702 to thecustomer's site 703, where the products will be removed from thecontainer.

The site 701 has an interrogator 706, the site 702 has an interrogator707, and the site 703 has an interrogator 708. The interrogators 706-708are each identical to the interrogator 12 that was described earlier,but have been given different reference numerals in FIG. 14 so that theycan be separately identified. The interrogators 706-708 are operativelycoupled by the network 18, which has already been discussed above. Thesite 701 has a person 711 who serves as a security officer (SO), thesite 702 has a person 712 who serves as a security officer, then thesite 703 has a person 713 who serves as a security officer. Withreference to FIGS. 5 and 14, it is assumed for the purpose of thisdiscussion that, when the tag 16 is attached to the container 704 atsite 701, the access control object 210 containing root certificate 212has already been installed in the tag 16 by the tag owner. It is alsoassumed that, at that time, no other access control objects have beeninstalled in either of the lists 211 and 226, and that the keysets intable 270 have not yet been established.

The security officer 711 at the site 701 uses the interrogator 706 tovalidate to the tag 16, in the manner discussed above in associationwith FIG. 13. As explained above, this results in the selection of aprotection suite (FIG. 7), and the generation of the security officerkeyset 271. The security officer 711 then proceeds to interact with thetag in order to also establish the read-only keyset 272, the read/writekeyset 273 and the tag response keyset 274. The security officer 711then distributes the read-only keyset 272 and the tag response keyset274 to other not-illustrated persons at the site 701 who have operatorstatus (Table 2). Further, the security officer 711 distributes theread-only keyset 272, the read/write keyset 273 and the tag responsekeyset 274 to other not-illustrated persons at the site 701 who haveadministrator status. This distribution of keysets will normally occurelectronically under a secure protocol, but in some situations thekeysets may be distributed in some other manner. For example, the binaryvalues in a keyset could be converted into a printable format (forexample base 64 or base 32), and then printed out. The printedinformation could then be given to a user (such as the user 24 inFIG. 1) who would then manually enter the information into aninterrogator (for example using the manual keypad 66 of the handheldinterrogator 13).

The security officer 711 then installs two additional security officeraccess control objects in the list 211. One of these is the accesscontrol object 220. If the tag receives a communication from thesecurity officer 712 at site 702, the tag can use the certificate 221 inthe object 220 to authenticate the security officer 712. The thirdaccess control certificate in the list 211 is not shown in FIG. 5, butif the tag receives a communication from the security officer 713 atsite 703, the tag can use the third access control object toauthenticate the security officer 713. The security officer 712 at site702 will be provided with a security officer certificate thatcorresponds to the certificate 221 in the access control object 220, andthat is similar in type to the security officer certificate 301. Thesecurity officer 713 at site 703 will be provided with a furthersecurity officer certificate that corresponds to the certificate in thethird access control object in the list 211, and that is similar in typeto the security officer certificate 301.

The security officer 711 may also optionally install one or more UDBaccess control objects in the list 226, for respective UDB recipients.For the purpose of the exemplary situation being discussed here, it isassumed that the security officer 711 installs the UDB access controlobject 227, and that the certificate 225 in this object indicates a UDBrecipient 721 is to receive UDB information. Further, it is assumed thatthe security officer 711 installs the UDB access control object 231, andthat the certificate 230 in this object indicates that a UDB recipient722 is to receive UDB information. In this example, the UDB recipients721 and 722 are each a person or entity that does not fall within any ofthe four security levels listed in Table 2.

The keysets in table 270 can remain in effect so long as the tag 16remains at the site 701, unless local security policy specifies thatthey should be invalidated and replaced sooner. It is assumed for thesake of this discussion that the keysets in table 270 are permitted toremain in effect so long as the tag is at the site 701. While the tag 16is at the site 701, persons with operator status or administrator statuscan interact with the tag 16. For example, a person with administratorstatus may install on the tag 16 a manifest (inventory) of the productsthat have been loaded into the associated container 704. Eventually,when the truck carrying the container 704 and tag 16 is ready to departthe site 701, the security officer 711 uses the security officer keyset271 to instruct the tag 16 to invalidate all four of the keysets 271-274that are stored in table 270. Alternatively, the departure gate from thesite 701 could be a choke point having an interrogator or reader thatautomatically invalidates the keysets in table 270 on every tagdeparting the site 701.

The container 704 with tag 16 will then be transported by the truck tothe shipping hub site 702. After the container 704 and tag 16 arrive atthe site 702, the security officer 712 at that site will use theinterrogator 707 to authenticate to the certificate 221 in the tag 16,using the technique described above in association with FIG. 13. Thiswill result in the selection of a protection suite for use at the site702, and also the creation of a unique security officer keyset that willbe stored in the tag at 271, and used by the security officer 712 tocommunicate with the tag. The security officer 712 will then establishadditional keysets 272-274 for use within the site 702, and willdistribute these keysets to other persons at the site 702 who haveoperator or administrator status with respect to the tag 16.

Assume that, while the tag 16 is at the site 702, the tag receivesthrough the interrogator 707 an ISO message that instructs the tag 16 toprepare and transmit UDB information. The tag 16 will then create andtransmit a message of the type shown at 501 in FIG. 12, including oneUDB block 506 that is based on the access control object 227 andintended for the UDB recipient 721, and a further UDB block 506 that isassociated with the access control object 231 and intended for the UDBrecipient 721. The message 501 will also include two authenticationblocks 508, each of which is associated with a respective one of the twoUDB blocks 506. Interrogator 707 will forward the message 501 throughthe network 18 to each of the UDB recipients 721 and 722.

The UDB recipient 721 has a private key that corresponds to the publickey 228 in the UDB certificate 225. The recipient 721 uses that privatekey to decrypt the random keys received at 524 and 545 in the UDB block506 and associated authentication block 508 that are intended for theUDB recipient 721. The recipient 721 can use the authenticationinformation to authenticate the received message, and can access the UDBdata 516. In a similar manner, the UDB recipient 722 has a private keythat corresponds to the public key 232 in the UDB certificate 230. TheUDB recipient 722 uses that private key to decrypt the random keysreceived at 524 and 545 in the UDB block 506 and associatedauthentication block 508 that are intended for the recipient 722. TheUDB recipient 722 can use the authentication information to authenticatethe received message, and can access the UDB data 516.

In this manner, UDB recipient 721 can access the UDB data in the message501 for which the recipient 721 is the intended recipient, but not UDBinformation intended for any other recipient, such as the UDB recipient722. Similarly, the UDB recipient 722 can access the UDB data in themessage 501 for which the recipient 722 is the intended recipient, butnot UDB information intended for any other recipient, such as the UDBrecipient 722. It should also be noted that, as the message 501 withencrypted UDB information is passing through the network 18 from site702 to the UDB recipients 721 and 722, the message 501 may pass throughcomputers or systems of third parties, but those third parties will notbe able to access or view any of the encrypted UDB information that ispresent within the message.

After the container 704 with the tag 16 has been shifted from theoriginal truck to a further truck at the site 702, and when the furthertruck is preparing to depart the site 702, the security officer 712 willinstruct the tag 16 to invalidate all of the keysets that are stored onthe tag in table 270. Alternatively, the departure gate from the site702 could be a choke point having an interrogator or reader thatautomatically invalidates the keysets in table 270 on every tagdeparting the site 702.

Eventually, the further truck carrying the container 704 and the tag 16will arrive at the customer's site 703. The security officer 713 at thatsite will use the interrogator 708 to authenticate to the third(not-illustrated) certificate in the list 211, in order to select aprotection suite and establish a security officer keyset that the tagstores at 271. The security officer 713 will also establish all theadditional keysets 272-274 for use at the site 703, and distribute theseadditional keysets to appropriate persons at site 703. After thecontainer 704 has been unloaded, the tag 16 will be removed from thecontainer. A person with administrator status may remove informationfrom the tag that is viewed as sensitive or confidential, such as themanifest or inventory for the container 704. The security officer 713will then instruct the tag to invalidate all the keysets stored in table270. The security officer 713 may also remove one or more of theadditional access control objects that are installed in the list 211 orin the list 226, except that the security officer 713 cannot remove theaccess control object 210 containing the root certificate 212. When thetag is eventually returned to the tag owner, the tag owner can removeand/or replace the access control object containing the root certificate211.

The RFID system 10 of FIGS. 1 and 5-14 provides a high level of securityfor information exchanged between an interrogator and a tag, as well asinformation maintained in the tag, while remaining fully compatible withthe existing ISO 18000-7 standard. Moreover, the security provisions arestructured so that they can be implemented with just a firmware upgradein existing interrogators and tags, without any hardware change.Consequently, many existing interrogators and tags can be relativelyeasily and cheaply upgraded, while avoiding the expense of completelyreplacing them, or the expense and logistical problems involved inimplementing hardware alterations. Avoiding the need for extra hardwarein tags also avoids the increased power consumption that would beassociated with added hardware, and thus helps to avoid a reduction inthe period of time that a tag can operate before its battery needs to bechanged or recharged.

Although selected embodiments have been illustrated and described indetail, it should be understood that a variety of substitutions andalterations are possible without departing from the spirit and scope ofthe present invention, as defined by the claims that follow.

What is claimed is:
 1. A radio frequency identification (RFID) tag,comprising: a receiver configured to receive wireless communicationsincluding an authentication request, the authentication requestincluding a first digital certificate, a transient public key, a randomnumber, and a list identifying at least one authentication technique;and a memory, the memory storing a firmware module, the firmware moduleincluding a security shim, the security shim being configured to: selectan authentication technique from the list identifying at least oneauthentication technique; determine whether the first digitalcertificate is in a trust relationship with a second digital certificatethat is different from said first digital certificate and that is storedin the memory; generate a second random number; and encrypt, using thepublic key, said second random number and an authenticationidentification identifying the selected authentication technique; and atransmitter configured to wirelessly transmit an authenticationresponse, the authentication response including the encrypted secondrandom number, the encrypted authentication identification, and entityinformation that includes a unique identification of said RFID tag. 2.An apparatus according to claim 1, wherein the first digital certificatedefines a first level of secure access to said RFID tag; and the seconddigital certificate defines a second level of secure access to said RFIDtag, said second level of secure access being different from said firstlevel of secure access.
 3. An apparatus according to claim 1, whereinsaid wireless communications all conform to a predeterminedcommunications protocol.
 4. An apparatus according to claim 3, whereinsaid communications protocol is ISO 18000-7.
 5. A method of operating anRFID tag having a protocol residing in a security shim in memory,comprising: receiving, by said RFID tag, a wireless communication of anauthentication request from an RFID interrogator, the authenticationrequest including a first digital certificate unknown to said RFID tag,a transient public key, a random number, and a list identifying at leastone authentication technique; selecting, by the RFID tag, anauthentication technique from the list identifying at least oneauthentication technique; determining, by said RFID tag, withoutexternal authentication of said first digital certificate, whether saidfirst digital certificate is in a trust relationship with a seconddigital certificate that is different from said first digitalcertificate and that is known to said RFID tag.
 6. A method according toclaim 5, further comprising before said receiving: generating by saidRFID interrogator a transient keyset that includes the public key and acorresponding private key; generating by said RFID interrogator therandom number; and transmitting by said RFID interrogator saidauthentication request.
 7. A method according to claim 5, furthercomprising: generating, by said RFID tag, a second random number;encrypting, by said RFID tag, using said public key, said second randomnumber and an authentication identification identifying said selectedauthentication technique; and transmitting, by said RFID tag, to theRFID interrogator a communication that includes said encrypted secondrandom number, said encrypted authentication identification, and entityinformation that includes a unique identification of said RFID tag.
 8. Amethod according to claim 7, further comprising: receiving in saidauthentication request an identification of at least one encryptiontechnique; selecting by said RFID tag an encryption technique identifiedin said authentication request; wherein said encrypting by said RFID tagincludes encrypting an encryption identification identifying saidselected encryption technique; and wherein said transmitting includestransmitting said encrypted encryption identification in saidcommunication.
 9. A method according to claim 7, including after saidtransmitting: receiving by said RFID interrogator said communication;decrypting by said RFID interrogator, using a private key correspondingto said public key, said encrypted second random number andauthentication identification; computing by said RFID interrogator,according to said selected authentication technique, an authenticationvalue; generating by said RFID interrogator a third random number;signing, using said private key, information that includes saidauthentication value and said third random number; and transmitting bysaid RFID interrogator said information signed by said private key. 10.A method according to claim 7, including after said transmitting:receiving by said RFID tag information signed with a private keycorresponding to said public key, said information including a firstauthentication value computed according to said selected authenticationtechnique, and a third random number; verifying by said RFID tag, usingsaid public key, the signature of said signed information; computing bysaid RFID tag a second authentication value according to said selectedauthentication technique; comparing by said RFID tag said first andsecond authentication values to verify they are the same; deriving bysaid RFID tag, using the selected technique, a cryptographic keyset as afunction of said source information, said RFID tag information, and saidfirst, second and third random numbers; and transmitting by said RFIDtag a selected communication to the RFID interrogator.
 11. A methodaccording to claim 10, including after said transmitting of saidselected communication: receiving by said RFID interrogator saidselected communication; and deriving by said RFID interrogator, usingsaid selected technique, said cryptographic keyset as a function of saidRFID interrogator information, said RFID tag information, and saidfirst, second and third random numbers.